How do FIDO2 security keys change how we do security?

I had a couple of unused FIDO2 security keys (YubiKeys) from when I had a Coinbase account - I got them working with my password manager, which has recently enabled FIDO2, all good! But I have questions:

Are passwords irrelevant when you use highly secure FIDO2 keys? Can my primary login password be “password” or “123456789”, so long as the FIDO2 is deployed? Not that I would do that… but could I do it safely?

I power-cycled my Android mobile device, and I’m still logged into the password manager. Then I did the same with my laptop… and I was still logged in to it. I thought the behavior would be that it would demand the key every time I tried to use the app on either device. So the behavior isn’t what I thought it would be. It’s less hassle, but seems less secure. Couldn’t someone steal the session key / session ID / session cookie, and get in even if the session was originally created using the FIDO2?

I’m going to run FIDO2 with the TOTP authentication app for a while, then if it’s OK, remove the authentication app, but I’m wondering if FIDO2 is a solution looking for a problem in my case.

I get it - if you’re a public figure or a defense or vital infrastructure or financial organization then you need FIDO2, but I’m not sure how it makes me, Joe Anonymous, safer than TOTP authentication.

But everyone should abandon text-message based authentication for sure, if possible. Too much SIM-jacking out there.

I have 2 FIDO2 security keys and use them to secure various accounts but you have to remove other accepted methods to authenticate. If just entering a password is allowed then there’s no additional security.

My password managers log out after a preset time and certainly don’t stay logged in after a power cycle.

The authenticator apps work but I don’t like them as much as a physical key. Google Authenticator can be synced across devices, meaning if your Google account is hacked someone else gets access to your authenticator codes. Some authenticator apps only allow you to install them on one device, but then you have to go through a recovery process if you lose it.

With 2 physical keys registered on a site, if you lose one then you use the other one to get in and then remove the lost one (and add another new one so you always have 2 in place). If someone finds your physical key they don’t have your password, so this is why you should still keep your password strong.

I’m still trying to wrap my head around this so please correct me if I’ve misunderstood something.

I discovered that Microsoft offers FIDO2 authentication but in a strange way… a given physical key is only usable with one computer. That makes it much less useful as a secure way to recover. Let’s say your laptop breaks or gets stolen. Well, what good is the key if it only works with the device you can’t use?

I’m using FIDO2 in parallel with TOTP MFA for my password manager and it’s interesting… I actually think it’s a useful piece of travel kit. You stick the FIDO2 key in your hotel safe; if your phone is broken or stolen, then I could recover my password manager on any arbitrary piece of hardware. From there, I get into anything. This keeps you from having to carry two phones to accomplish the same mission.

I don’t think I’m ready to switch to only FIDO2 for the password manager, though. I do work for several multinational Fortune 500s, and only one of them so far flat-out requires mobile phone passkeys or FIDO2 (I chose this because my phone is too old to support passkeys). The rest are OK with TOTP MFA. None of them are OK with text-based authentication!

Only one bank that I know of offers FIDO2 as an option: Bank of America. Fidelity and Schwab offer TOTP. The rest? Blech… text-based authentication. Horrible.

Thanks for this additional information. I agree that having your FIDO2 key tied to a particular device makes it much less useful as a recovery method. My backup phone is older and has some trouble using FIDO2 keys, but I’ll get a newer one soon. I’d like to use my FIDO2 keys over TOTP for my financial accounts too.

REALLY SICK THING ABOUT MICROSOFT… if you keep telling them “I need another authentication method” and keep clicking through, eventually you get to… IT ASKS TO SEND A CODE TO YOUR PHONE!

I have two passkeys, MFA (which is replicated and backed up offline), and a recovery email that has never been exposed in the wild. I only use it for account recovery and such.

I removed my phone!